OnPoint by Keith Ng


"Project SPEARGUN underway"

Let's get this out of the way: The Warner Bros email was a complete clusterfuck. Faced with claims that the emails were fake, TeamDotcom did a TeamKey - they got Hone to send it off to the Privileges Committee then flat out refused to talk about it because, apparently, it needs to work through that process and talking about it would somethingsomethingsubjudicelookoverthere. They refused to talk about where it came from, and when asked whether it was fake, Kim Dotcom could only manage a "to the best of my knowledge" response, and said they weren't there to talk about that email (contrary to what he's been saying for months, right up to yesterday).

Basically, they have no confidence in the veracity of that email - and so neither should we.


Glenn Greenwald's material, on the other hand, is solid. He has documents showing the progress of a programme called "SPEARGUN". According to Greenwald, this project involved the "covert installation of 'cable access' equipment" on the Southern Cross cable (i.e. tapping into New Zealand's traffic with the rest of the world). The existence of this capability cannot be denied.

In response to the Southern Cross cable's operators saying that such a thing was impossible, Snowden (who videoconferenced into the event) asked (I'm paraphrasing): What makes the Southern Cross cable so special that it cannot be accessed undetected by the NSA, when everyone else around the world can be?

The new documents show that the GCSB had a cable access project underway, followed by another document showing that Phase 1 was "achieved". More crucially, he has a message showing:

(TS//SI//NF) New Zealand: GCSB's cable access program SPEARGUN Phase 1; awaiting new GCSB Act expected July 2013; first metadata probe mid 2013.

This shows that they had to wait for the GCSB Act to be passed before SPEARGUN could be used. i.e. The new GCSB Act - the one that supposedly wouldn't expand GCSB powers - expanded GCSB powers to allow them to operate a metadata probe on this cable which they'd tapped.

If this is false, John Key could simply say "SPEARGUN doesn't exist". If SPEARGUN never went anywhere, he could say that too.

Instead, what Key has done is release a bunch of documents about a programme called CORTEX. This was a plan to provide malware detection and disruption services to companies and ISPs.

CORTEX has nothing to do with SPEARGUN:

  • SPEARGUN sits at the major highways of our network, extracting metadata from the traffic that goes through and sending it elsewhere. CORTEX sits at the driveway of businesses and ISPs, checking what goes in and out for signs of malware activity. The two are very different beasts.
  • The metadata probes that Greenwald refers to are used to covertly extract metadata. According to the Cabinet papers, CORTEX "will in all cases operate with the consent of the participating organisations". The programme described in Greenwald's documents is not CORTEX.
  • According to Key, a "test probe" was built to sit on the Southern Cross cable. That is the whole country, not "participating organisations". Further proof that the purpose of the probe had nothing to do with CORTEX.

Why does the probe itself matter? It proves that most of what we know about SPEARGUN is correct. The Government was considering the use of such a probe to get metadata via cable access, and went - at the very least - as far as building one.

Key never said SPEARGUN stopped. He only said CORTEX stopped. In fact, all this elaborate song and dance has been put in place so he can *look like* he's addressing SPEARGUN, when he is doing nothing of the sort.

We are owed some real answers.


Why is the top 10% paying more tax? (An interactive story)

I don't understand why National's is trying to get everyone to want tax cuts. And I don't understand how he can get away with this bullshit "12% of households pay 76% of net taxes" line.

"Net taxes" is not a real thing. These are the official tax statistics published by the IRD. "Net taxes" is not among them, nor should it be, because it's an estimate of a bunch of arbitrary measures, put together for entirely political ends.

So, I've put together the IRD tax statistics from 2003-12 into this interactive data visualisation, to look at whether the top 10% pay a disproportionate amount of tax, and why.


Budget 2014: Yeah okay.

Visualisation is here!

It's a very political budget designed to woo Labour voters - but it should, because the headline policy is actually quite good. I mean, who can complain about extending free primary health care and paid parental leave? It's a great way to spend $500m.

The big worry though, should be in Health. Ryall claims that health spending has reached "a record $15.6b". That's up about 5.4% from last year in real terms... except that $490m of that is refinancing costs (here and here). The trend for actual health spending is much more problematic - it's holding static for the forecast period, and once demographic changes and inflation are taken into account, it's actually falling by nearly 15% in real terms.

That probably won't *actually* happen. More money will be spent on health before we get to that point, but it's a reminder that health is a huge gaping maw that will swallow up a lot of money - in case you were thinking about tax cuts already.

Speaking of tax cuts - jesus, are you guys for real? So I've had my head stuck in code all week (er, month), and haven't been paying attention, but it's become clear that the hints about tax cuts were dropped to remind the Gallery of their one true love: Budget items which translate directly into "How Much $$$ Will You Receive" headlines. And the bulges in the Gallery's pants were already starting to show in the Budget lock-up, which bodes poorly for the election. FFS GUYS, STOP BEING SO EASY TO MANIPULATE.

The other clear political message was that $1.5b of new spending was the *only* responsible amount to spend, and that if Labour/Greens promised more than $1.5b of spending, the terrible wrath of interest rates will fall upon us all. I'm taking this with a small pinch of salt.

Ultimately, I think this budget is fine, and National really is doing a reasonable job of managing the finances. I expressed doubts a few budgets ago about them pushing the cuts to future governments, but here we are, they've actually worn the worst of the cuts. On the other hand, Bill English takes an awful lot of credit for the economic weather, and blames Labour for the same. We haven't had amazing growth because of National's amazeballs management of the economy - the economy doesn't magically sprout flowers because we hit a surplus target. We simply rebounded from EQNZ and the global economy recovered from the GFC.

More on this next week.

For bonus points: The Porcupine visualisation isn't quite ready yet, but all the data is there if you want to explore for yourself.

Sound of Thunder

My grandfather, in his teens, almost starved to death. His father did starve to death. Before my great-grandfather died, he told my grandfather to leave his two infant sisters behind. My grandfather buried him by himself, and three days later, the elder of his two sisters died. He left the younger sister with a relative, and she too starved soon after.

This is not something I particularly wanted to write about. My first memory of my grandparents' place is of a nice apartment on a leafy street in Hong Kong. That was the world I was born into. That was The World. People starved in Africa, but that's okay, because that's a different world.

My grandfather died when I was four. I wasn't told this story until I was well into my 20s. It's a strange thing to find out that the world as I knew it had barely existed for a decade when I was born. And that my family came from a different world, with experiences that I couldn't even begin to imagine.

But having understood how much the world can change in two generations, I don't understand how people can believe that their world will never change. I don't understand how people can look at the world which the IPCC describes, mouth the words that "climate change is a very serious issue" and simply assume that it would be the same world of flat whites and iPhones that their children inherit. I don't understand how people can accept science describing a world with food and water insecurity, with freak heat waves and droughts and hurricanes, and just believe that their world will continue as is.

Your children may not enjoy a world of growth and prosperity. Your grandchildren may not live in a world of safety and security. Your great-grandchildren may not have three meals a day.

Sometimes I wonder what my great-grandfather's dying thought was. He was, at one point, an engineer of sorts. He built fish (or maybe shrimp?) traps for the village. From what I gather, it was a system of dams which caught stuff when the tide went in and out. We all think like engineers in our family, so maybe he thought about what went wrong, what he could've done differently.

He understood the catastrophe that was coming when the Japanese invaded, and then when China descended into civil war. He tried to prepare. He had, from what I understand, taro milled and stashed away for a rainy day. But he got sick, and by the time that rainy day came, the food he had stashed had spoiled or been stolen.

Maybe he thought about what he could've done differently. Or maybe his last thought was about how utterly and catastrophically he had failed his children.

That was 70 years ago, and not very far away.


The Big Guns: Truecrypt and Tails


One of the simplest ways to encrypt stuff is with Truecrypt. It runs on Windows, Macs and Linux. It requires no installation, so you can run it off a thumbdrive. You can use it to create an encrypted container file, or to encrypt an entire drive.

Encryption containers are quite handy. When decrypted, they work just like a normal drive. But once you lock it, the whole drive disappears and becomes an encrypted file which can't be read without the password. Apart from that, it's like any other file - you can copy it wherever, put it on a USB stick, or even put it on Dropbox so that it syncs between your computers.

You can also encrypt entire drives. The whole drive will look like random data, and be unreadable without the password. Of course, anyone looking at the drive will see that it contains random data, and conclude that it must be an encrypted drive. This comes back to the problem I mentioned last time - that you can be compelled to give up your password, so what's the point of encryption?

This is where Truecrypt works its magic. You can create a hidden volume with Truecrypt - that is, create a hidden encrypted drive *inside* another encrypted drive. A drive with hidden encryption (i.e. two layers, one hidden beneath the other) looks exactly the same as a drive with normal encryption (i.e. one layer). It's easy to prove that there is an encrypted layer, and you can be compelled to give up *a* password - but it is impossible to prove the existence of the second layer, so they can't compel you to give up the password to it.

This is, of course, some tricky shit. If you're going to go down this path, you really need to read the full documentation.
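An added example (not from the original post, and not Truecrypt's own code or file format): a simplified Python model of why the second layer can't be proven. Every container starts life as random bytes, so the slot where a hidden header would sit is noise whether or not one was written, and only the right password turns it into something recognisable. The two-slot layout, the toy SHAKE-256 keystream standing in for a real cipher, and the passwords are all assumptions made for illustration.

```python
import hashlib
import os
from typing import Optional

SLOT = 64 + 32    # assumed layout: 64-byte salt + 32-byte encrypted header body
MAGIC = b"TRUE"   # marker that only appears after a correct decryption


def _keystream(password: str, salt: bytes, n: int) -> bytes:
    # Toy cipher (not what Truecrypt uses): PBKDF2 key, SHAKE-256 as keystream.
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000)
    return hashlib.shake_256(key).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_header(password: str, label: bytes) -> bytes:
    salt = os.urandom(64)
    body = (MAGIC + label).ljust(32, b"\0")
    return salt + _xor(body, _keystream(password, salt, 32))


def make_container(outer_pw: str, hidden_pw: Optional[str] = None) -> bytes:
    # Start from random bytes, so an unused slot 1 is random too.
    data = bytearray(os.urandom(4 * SLOT))
    data[0:SLOT] = make_header(outer_pw, b"outer")
    if hidden_pw is not None:
        data[SLOT:2 * SLOT] = make_header(hidden_pw, b"hidden")
    return bytes(data)


def open_volume(container: bytes, password: str) -> Optional[str]:
    # Try the password against both slots; a wrong key just yields more noise.
    for i in range(2):
        slot = container[i * SLOT:(i + 1) * SLOT]
        salt, enc = slot[:64], slot[64:]
        body = _xor(enc, _keystream(password, salt, 32))
        if body.startswith(MAGIC):
            return body[4:].rstrip(b"\0").decode()
    return None


if __name__ == "__main__":
    plain = make_container("decoy-pass")                # constructed passwords
    layered = make_container("decoy-pass", "real-pass")
    print(len(plain) == len(layered))
    print(open_volume(layered, "decoy-pass"), open_volume(layered, "real-pass"))
    print(open_volume(plain, "real-pass"))
```

Handing over "decoy-pass" opens the outer layer of both containers, and nothing about the remaining bytes tells the one-layer container apart from the two-layer one.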


Encryption is maths. You can't hack maths, but you can hack computers. Rather than trying to break your encryption lock, it's much more likely that any adversary will just try to steal your key by compromising your computer. There's also a decent chance that your computer is compromised not because you're a target, but just because you clicked on the wrong thing at some point in the past.

One catch-all solution is to bypass your computer operating system altogether. The A in TAILS stands for "amnesiac". The whole operating system boots from the USB drive and straight onto your RAM. Nothing is saved - this means that you can click on all the viruses and trojans in the world, but when you reboot, you start with a clean system again.

Tails and Truecrypt combined is a very powerful combination. Your data is encrypted by Truecrypt, and your password only ever goes between you and the temporary operating system, which ceases to exist when you turn the computer off. The only way, in this system, to crack your data is to plant a physical bug in your computer, to install a camera over your keyboard, or to beat/coerce the password out of you.

Tails also comes packaged with Tor Browser, which uses Tor to redirect your traffic and mask where it's coming from. It also comes with its own PGP tools, which you can use for encryption/decryption on the fly. Truecrypt is turned off by default, but if you want to use it, you can just type in "truecrypt" on boot (or carry the file in the drive containing Tails).


I think that's it for now. Feel free to post links to your favourite tools in the discussion below. Keep in mind that the focus here is on practical solutions for users with minimal expertise fighting real world, resource constrained adversaries. So let's not go overboard eh.

In other news, the Lavabit story is out. And jesus. It's a depressing read. If you think the state shouldn't be omniscient, please help the cause by donating to his defence fund. If you liked my security stuff so far and/or found it useful, please do me a favour by donating to his defence fund, so I can feel a little less nauseous about where we're headed.